CVE-2016-10661

Description

Affected versions of `phantomjs-cheniu` insecurely download an executable over an unencrypted HTTP connection. In scenarios where an attacker has a privileged network position, it is possible to intercept the response and replace the executable with a malicious one, resulting in code execution on the system running `phantomjs-cheniu`. ## Recommendation No patch is currently available for this vulnerability. As this package is just a fork of Medium's [`phantomjs-prebuilt`](https://github.com/Medium/phantomjs) package, the best mitigation is currently to install the `Medium` version of [`phantomjs-prebuilt`](https://github.com/Medium/phantomjs). This can be done via the following command: ``` npm i phantomjs-prebuilt ```

How to fix CVE-2016-10661

No fixed version has been published yet. Mitigate by removing the affected package or applying upstream guidance from the references below.

• —no fix listed

Is CVE-2016-10661 being exploited?

Low — EPSS is 0.5%, meaning exploitation activity has not been observed at scale.

Affected packages (1)

• from 0, <= 2.0.1

References (3)

• ADVISORYgithub.com/advisories/GHSA-w364-8vfv-gvf5
• ADVISORYnvd.nist.gov/vuln/detail/CVE-2016-10661
• WEBwww.npmjs.com/advisories/262